Security Experts: Retail Sector More Aware, Not Necessarily More Secure

Last year, the big breach hitting the scene during the holiday season was aimed at Sony. In 2013, it was Target. The question now is, as holiday shoppers hit their favorite spots this year, are retailers more prepared in the event of a cyberattack? Security experts say: Sort of.

One thing that is definitely clear is that with all of the breaches in recent years, awareness is now at an all-time high.

’The Target breach, in particular, was a wake-up call for the sector ... and we’ve seen a lot of response since then,’ said Stephen Boyer, founder and chief technology officer at BitSight. ’I don’t think you can claim ignorance anymore.’

[Related: Breach Barrage: The Most Targeted Vertical Might Surprise You]

Sponsored post

Bitsight offers a security ratings platform, and in its research comparing the security performance of multiple industries, retail ranked second only to finance, with a score of 700 out of a possible 900 on the BitSight ranking (the finance industry scored 710). The next closest sector was technology, with a score of 680. Boyer said that ranking is ’encouraging.’

’We’re seeing general performance improvements [in retail] across the board,’ Boyer said. ’Awareness is high and it’s definitely become a board-level issue. We’re starting to see and hear that they’re taking it much more seriously,’ he said.

Jeff Schmidt, CEO and founder of JAS Global Advisors, a security consultancy based in Chicago, said he is ’cautiously optimistic’ when it comes to retail security this holiday season. Schmidt said he has seen the sector make a lot of improvements, including security investments overall and those specifically around chip-and-pin cards.

’[Retail companies have] gotten better. These are really big, complicated companies and nobody is going to be perfect yet, but they’ve gotten better,’ Schmidt said.

The impact of a breach on a retailer is very real, with a recent Accenture survey finding that 12 percent of loyal customers won’t return to a retailer after a data breach. A larger number, 36 percent, will slow their shopping with the retailer, the report said. So far in 2015, there have been nine reported data breaches in the retail and merchant sector, according to the Privacy Rights Clearinghouse. That includes breaches at CVS Pharmacy, Starbucks, Sally Beauty Supply, Toys ’R’ Us and more. That compares with 43 reported breaches in 2014, most notably Staples and Home Depot.

The holiday season, in particular, is a critical time for testing the strength of security systems, as it is by far the busiest time of the year for most retailers, said Ajay Arora, CEO and co-founder of Vera. That means not only that retailers are both distracted with keeping their systems up and running during an influx of business, but also that hackers are more likely to save their best attacks when lucrative credit card and personal information records flood into the systems, Arora said. Schmidt added that an influx of temporary talent during the holiday season could also complicate things, as those workers tend to have less training and less commitment to the company.

However, despite the high level of awareness, there is still a ways to go, Vera's Arora said, as not all the impetus has been converted into action yet. Arora said he sees a lot of companies investigating which solutions would be the right fit, but the implementation of those technologies over the past year has been slow.

’People have woken up ... but a lot has not been done and we’re kind of in the same state we were a year ago,’ Arora said. ’Some people would say that 50 percent of the problem is realizing you have a problem, but, unfortunately, when it comes to cybersecurity that is only about 2 percent of the problem.’

Though, to be fair, Arora said a year isn’t necessarily that long of a time for companies the size of many large retailers to make large technical changes, comparing it to turning a battleship.

’I think it’s slow, but steady progress in the right direction. But, there’s still so much at risk,’ Arora said. ’They’re definitely shifting budgets more toward security but we haven’t seen the fruits of it yet. This holiday season will prove a lot about where the companies stand.’